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5 TITLE OF THE INVENTION 

EPHEMERAL DECRY PT AB I L I T Y 

CROSS REFERENCE TO RELATED APPLICATIONS 

N/A 

10 

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR 

DEVELOPMENT 
N/A 

15 BACKGROUND OF THE INVENTION 

The present invention relates generally to private 
communications , and more specifically to a system and 
method for providing ephemeral decryptability of 

20 documents, files, and/or messages. 

In recent years, individuals and businesses have 
increasingly employed computer and telecommunications 
networks, such as the World Wide Web (WWW) f to exchange 
messages. These networks typically include a number of 

25 intermediate systems between the source of a message and 

its destination, at which the message may be temporarily 
written to a memory and/or data storage device. Such 
intermediate systems, as well as the communications 
lines within the network itself, are often considered to 

30 be susceptible to actions of a malicious third papty r ^v 0 n: 
which may result in messages being intercepted as they 
are carried through the network. For this reason, 
various types of data encryption have been used for 
private communications through such networks. 
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Encryption algorithms are also sometimes used to support 
integrity checking and authentication of received 
messages- Integrity checking allows the message 

recipient to determine whether the message has been 
5 altered since it was generated, while authentication 

permits the recipient to verify the source of the 
message . 

Specific encryption algorithms are usually thought 
of as being either "symmetric key" or "public key" 

10 systems. In symmetric key encryption, also sometimes 

referred to as "secret key" encryption, the two 
communicating parties use a shared, secret key to both 
encrypt and decrypt messages they exchange. The Data 
Encryption Standard ( DES ) , published in 1977 by the 

15 National Bureau of Standards, and the International Data 

Encryption Algorithm (IDEA) , developed by Xuejia Lai and 
James L. Massey, are examples of well known symmetric 
key encryption techniques. Public key encryption 
systems, in contrast to symmetric key systems, provide 

20 each party with two keys: a private key that is not 

revealed to anyone, and a public key made available to 
everyone. When the public key is used to encrypt a 
message, the resulting encoded message can only be 
decoded using the corresponding private key. Public key 

25 encryption systems also support the use of "digital 

signatures" , which are used to authenticate the sender 
of a message. A digital signature is an encrypted 
digest associated with a particular message, which can 
be analyzed by a holder of a public key to verify that 

30 the message was generated by someone knowing the 
corresponding private key. 
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While encryption protects the encrypted data from 
being understood by someone not in possession of the 
decryption key, the longer such encrypted information is 
stored, the greater potential there may be for such a 
5 key to fall into the wrong hands. For example, key 
escrows are often maintained which keep records of past 
keys. Such records may be stored for convenience in 
order to recover encrypted data when a key has been 
lost, for law enforcement purposes, to permit the police 

10 to eavesdrop on conversations regarding criminal 
activities, or for business management to monitor the 
contents of employee communications. However, as a 
consequence of such long term storage, the keys may be 
discovered over time. 

15 In existing systems, there are various events that 

may result in an encrypted message remaining stored 
beyond its usefulness to a receiving party. First, 
there is no guarantee that a receiver of an encrypted 
message will promptly delete it after it has been read. 

20 Additionally, electronic mail and other types of 

messages may be automatically "backed-up M to secondary 
storage, either at the destination system, or even 
within intermediate systems through which they traverse. 
The time period such back-up copies are stored is 

25 sometimes indeterminate, and outside control of the 

message originator. Thus, it is apparent that even 
under ordinary circumstances, an encrypted message may 
remain in existence well beyond its usefulness, and that 
such longevity may result in the privacy of the message 

30 being compromised. 

Existing systems for secure communications, such as 
the Secure Sockets Layer (SSL) protocol, provide for 
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authenticated; 7 private, real-time communications; - ..In-.~,., r ~ • . w 
the SSL protocol, a server system generates a short term 
public/private key pair, that is certified as authentic 
using a long term private key belonging to the server. 
5 The client uses the short term public key to encrypt a 

symmetric key for use during the session. The server 
periodically changes its short term private key, 
discarding any previous versions. This renders any 
records of previous sessions established using the 

10 former short term public key un-decryptable. Such a - 

system is sometimes referred to as providing "perfect 
forward secrecy". These existing systems, however, 
provide no mechanism for setting or determining a finite 
"lifetime", in terms of decryptability, for stored 

15 encrypted data or messages independent of a real-time 

communications session. 

Accordingly it would be desirable to have a system 
for specifying a finite period after which stored 
encrypted data, such as electronic mail messages, cannot 

20 be decrypted. After such a "decryption lifetime" period 

expires, the encrypted data should become effectively t 
unrecoverable. The system should provide the ability to 
specify such a decryptability lifetime on a per message, 
data unit, or file basis, independent of any particular 

25 real-time communications session. 

BRIEF SUMMARY OF THE INVENTION 

A system and method for providing ephemeral 
30 decryptability is disclosed, which enables a user to 

encrypt data in a way that ensures that the data cannot 
be decrypted after a finite period. One or more 
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- ephemeral encryption^ keys are provided to ._-a*~ party 
wishing to encrypt a message to be passed to a 
destination party. The ephemeral key or keys are each 
associated with an expiration time. Prior to the 
5 expiration time, the party wishing to encrypt the 

message uses the ephemeral encryption key or keys to 
encrypt the message, and passes the encrypted message to 
the destination party. The destination party uses 
ephemeral decryption keys associated with the ephemeral 

10 encryption keys to decrypt the received message. The 

provider of the ephemeral encryption keys destroys at 
least the ephemeral decryption keys such that they 
cannot be recovered after their respective expiration 
times. In the case where ephemeral public/private key 

15 pairs are used, then the ephemeral encryption keys are 

the public keys, the ephemeral decryption keys are the 
private keys. In the case where ephemeral symmetric 
keys are used, then the ephemeral encryption key and its 
associated ephemeral decryption key are the same key. 

20 In the present disclosure, data that has been encrypted 

using any kind of ephemeral key may sometimes be 
referred to as "ephemeral data." 

In a first illustrative embodiment, a first party 
establishes a number of ephemeral public/private key 

25 pairs, each of which will be destroyed at an associated 
time in the future (the "expiration time"), and makes 
them publicly available. A second party then selects 
one of the ephemeral public/private key pairs having an 
expiration time appropriate for its needs, and sends one 

30 or more messages to the first party encrypted using the 

public key from the selected ephemeral key pair. If the 
ephemeral keys are symmetric keys, the second party 
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would request a'n - ephemeral symmetric key from the**-£dr5t-., .*w..^w 0 „; 
party, causing the first party to generate an ephemeral 
symmetric key and securely convey it' to the second 
party. At the expiration time, the first party destroys 
5 all copies of the ephemeral decryption key, thus 

rendering any messages encrypted with the associated 
encryption key permanently undecipherable. 

In a second illustrative embodiment, a number of 
third party entities offer an "ephemerizer service", and 
10 are accordingly referred to as "ephemeral key servers" . . 

or "ephemerizers" . Each ephemerizer publishes a 

selection of ephemeral public/private key pairs, or 
generates ephemeral symmetric keys upon request. Each 
ephemeral key is associated with an expiration time. A 
15 party wishing to encrypt a message acquires one of the 

ephemerizer' s ephemeral encryption .keys with an 
appropriate expiration time. Alternatively, where none 
of the associated expiration times offered by the 
ephemerizer are appropriate for the message to be 
20 transmitted, the party wishing to encrypt that message 

may request an -ephemeral key expiration time or range of en. 
expiration times, in which case the ephemerizer 
* generates an ephemeral key having an appropriate 
expiration time and provides it to the requester. The 
25 requesting party first encrypts the data using an 

encryption key of the party which will receive the 
message, and then encrypts the resulting encrypted data 
again using the acquired ephemeral encryption key. An 
address of the ephemerizer, as well as an indication of 
30 the selected ephemeral encryption key, may also be 

included in the message. When the message is received, 
the receiver first locates the ephemerizer, and asks the 
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" v ephemerizer ^ fb " decrypt at least a portion— of,v* the- u..*.. 
message. The ephemerizer decrypts at least a portion of 
the message as requested and returns the result to the 
receiver. The receiver then completes decryption of the 
5 message as necessary. At the expiration time, the 

ephemerizer permanently destroys the selected ephemeral 
decryption key. 

Ephemerizers are relied upon to be available to 
decrypt messages encrypted using the ephemeral 

10 encryption keys they provide, to recall the associated 

decryption keys until their associated expiration times, 
and to destroy such decryption keys by their associated 
expiration times. However f for various reasons, a given 
ephemerizer may fail to perform one or more of these 

15 tasks. Advantageously, multiple ephemerizers may be 

employed in the disclosed system to address the 
possibility of such failures. In order to address the 
problem of an ephemerizer failing to destroy an 
ephemeral decryption key by its expiration time, 

20 multiple ephemerizers may be used to perform multiple, 

successive encryptions of the data. With this 
approach, if any one of the multiple ephemerizers 
destroys its ephemeral decryption key, the data is no 
longer decryptable. 

25 Another technique employing multiple ephemerizers 

addresses the problem of one or more ephemerizers 
becoming unavailable, or forgetting their ephemeral 
decryption keys prior to their associated expiration 
time. In this approach, a "K of N" scheme is employed 

30 by which the message is encoded using multiple ("N") 

ephemeral encryption keys, provided by N associated 
ephemerizers, such that the recipient of the encrypted 
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- riiessage" only -needs - a-- 'subset-*- "K M of the - . associated v^v.- - ,^,v « ,^ .■. 
ephemerizers to be available and having retained their 
decryption keys to decrypt the message. In this way, 
even if some subset, less than or equal to K - N of the 
5 ephemerizers from which the ephemeral encryption keys 

were obtained, becomes unavailable or forgets an 
associated decryption key, the message may still be 
decrypted by its recipient using the K functioning 
ephemerizers . 

10 In general, ephemerizers may be selected based on a 

recommendation of either communicating party, or, where 
one party distrusts the other party to some degree, 
unilaterally. For example, the recipient may provide a 
list of ephemerizers which may be used by the encrypting 

15 party. Alternatively, the encrypting party may be 

permitted to select the ephemerizer or ephemerizers. 

Thus there is provided a system in which data may 
be encrypted such that it cannot be decrypted after a 
finite period. The system advantageously permits. 

20 selection of an appropriate decryptability lifetime for 

specific ...units of data, such as electronic mail . 4t 
messages. Further, where one or more third party 
ephemerizer systems are used to provide ephemeral keys 
to encrypt a message, such third party ephemerizers may 

25 be employed to destroy the ephemeral keys at their 

expiration times, without burdening the communicating 
parties with this responsibility. 

As a further advantage, it is not necessary to 
encrypt an entire message using an ephemeral encryption 

30 key. Instead, the ephemeral key may simply be used to 

encrypt another key contained within the message 
header. In that case, the message body itself is 



-8- 



WO 01/20836 



PCTAJS00/23997 



: 'ericrypte'd"' such "that it can be decrypted using -the key 
contained in the message header. The receiver of the 
message need send only the message header to the 
appropriate ephemerizer system or systems for 
5 decryption, thus preserving communications bandwidth and 

improving throughput . 

Another advantage of the disclosed system arises 
from the fact that any data sent to an ephemerizer 
system for decryption may be further encrypted, for 
10 example prior to encryption with any ephemeral key. In 

* such an embodiment, the ephemerizer system or systems 
are not exposed to fully decrypted data ("plaintext"), 
and accordingly need not be completely trusted. 

15 BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING 

The invention will be more fully understood by 
reference to the following detailed description of the 
invention in conjunction with the drawings, of which: 
20 Fig. 1 shows an ephemeral key pair list; 

Fig. 2 shows an ephemeral message format used in a first 

illustrative embodiment of the invention; 

Fig. 3 shows steps performed to generate and receive an 

• ephemeral message in the first embodiment of the 
25 invention; 

Fig. 4 shows several ephemerizers together with a number 
of user parties in a second illustrative embodiment of 
the invention; 

Fig. 5 shows an ephemeral message format used in the 
30 second embodiment of the invention; 
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. - ..i pig; 6 shows'* steps -performed to- generate and .process an^,vr,.... 

ephemeral message in the second embodiment of the 
invention; 

Fig. 7 shows an ephemeral message format which may be 
5 used when multiple ephemerizers are employed to perform 

multiple successive encryptions using ephemeral 
encryption keys; and 

Fig. 8 shows an ephemeral message format which may be 
used when multiple ephemerizers are employed to perform 
10 a K of N form of encryption. 

DETAILED DESCRIPTION OF THE INVENTION 

Consistent with the present invention, a system and 

15 method for providing ephemeral decryptability is 

disclosed which enables a user to ensure that encrypted 
messages will become undecryptable after a certain point 
in time. As shown in Fig. 1, an ephemeral key pair list 
includes a number of ephemeral key pairs 12. Each 

20 ephemeral key pair includes a public key part 14, a 

private key part 16, and an associated expiration time 
18. The public key part 14 and associated expiration 
times 18 of the ephemeral key pairs may be read by 
parties wishing to use one or more of the ephemeral key 

25 pairs 12, but the private key part 16 of each ephemeral 

key is accessible only to the publisher of the ephemeral 
key list 12. As in conventional public key encryption 
techniques, data encrypted using one of the public keys 
14 can only be decrypted using the private key 16 from 

30 the same ephemeral key pair. Each of the ephemeral key 
pairs 12 represents a promise by the publisher of the 
ephemeral key pair list 12 that the ephemeral key pair 
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destroyed - at v the ^associated - 

expiration time. 

Fig* 2 shows an illustrative ephemeral message 
format 30 employed in a first embodiment of the 
5 invention. The ephemeral message format 30 is shown 

including a message key portion 32, as well as a message 
body portion 34. The message key portion 32 contains a 
symmetric key, which itself has been encrypted by use of 
an ephemeral encryption key, such as either a public key 

10 from an ephemeral key pair, or an ephemeral symmetric 

key* The message portion 34 contains a message that has 
been encrypted using the symmetric key stored in the 
message key portion 32. Accordingly, in order to read 
the message in the message body portion 34, the 

15 symmetric key in the message key portion 32 must first 

be decrypted using the appropriate ephemeral decryption 
key, for example either a private key from the same 
ephemeral key pair as the public key used to encrypt the 
symmetric key in the message key portion 32, or the 

20 ephemeral symmetric key used to encrypt the symmetric 

key in the message key portion 32 • The decrypted 
symmetric key in the message key portion 32 can then be 
used to decrypt the message body 34. Use of an 
ephemerally decryptable symmetric key stored within a 

25 message header is desirable because this limits the 
amount of data which must be decrypted using the 
ephemeral decryption key. This is especially 

significant where the ephemeral decryption key is a 
private key of an ephemeral key pair, because decryption 

30 using a symmetric key is significantly less 
computationally intense than decryption using a private 
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keiy / * 'Accordingly; the • amount of the message encrypted, 
using the ephemeral public key may be minimized. 

As shown in the flow chart of Fig. 3, in the first 
embodiment of the invention, and where ephemeral 
5 public/private key pairs are employed,, a first party may 

announce a current ephemeral key pair list at step 40. 
Alternatively at step 40, where ephemeral symmetric keys 
are employed, the first party may simply accept a 
request for an ephemeral symmetric key from a second 

10 party wishing to pass ephemeral data to the first party. 

The first party and second party described in connection 
with Fig. 3 may be software processes, personal 
computers, workstations, or any other type of devices 
which are capable of exchanging messages by way of a 

15 communications or messaging infrastructure such as a 

computer network or the internet* 

At step 42, in the case where ephemeral 
public/private key pairs are employed, the second party 
selects an ephemeral key pair from the ephemeral key 

20 pair list announced by the first party at step 40. If 

ephemeral symmetric keys are used, then at step 42 the 
second party receives an ephemeral symmetric key from 
the first party in response to the previous ephemeral 
key request. An ephemeral key pair list may include 

25 ephemeral key pairs having a variety of different 

associated expiration times, thus allowing the second 
party to select an ephemeral key pair having an 
associated expiration time adequate to both permit a 
particular message to be passed to the first party and 

30 permit the first party to read and/or otherwise process 
the message. The second party may provide a desired 
expiration time or expiration time range to the first 
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>f "party, causing * the f irst patty - to provide an ephemeral - 
key pair or ephemeral symmetric key having a requested 
expiration time. When an ephemeral symmetric key is 
provided to the second party f it should be conveyed in a 
5 secure manner, for example through a conventional 

encrypted tunnel mechanism. 

At step 44, the second party encrypts the message 
using the ephemeral encryption key, for example either a 
public key from a selected ephemeral key pair, or a 

10 securely provided ephemeral symmetric key. To provide 

efficient processing, and because symmetric key 
encryption may be significantly more efficient than 
public key encryption, the second party may first 
encrypt the message body using a symmetric key, then 

15 encrypt that symmetric key using the ephemeral 

encryption key, and include the encrypted symmetric key 
as part of the message, for example in the message 
header ♦ The message body may alternatively or 

additionally be encrypted using the ephemeral encryption 

20 key. At step 46, the second party passes the message to 

the first party via a • communications or messaging 
infrastructure such as a computer network or the 
internet. 

At step 48, the first party decrypts the symmetric 
25 key in the message using an ephemeral decryption key, 

for example either the private key from the selected 
ephemeral key pair, or the ephemeral symmetric key 
previously provided to the second party. The first 
party further uses the decrypted symmetric key from the 
30 message to decrypt the message body. Where the message 
body was encrypted using the ephemeral encryption key, 
the first party uses the ephemeral decryption key to 
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:v: ' 'decrypt tKe' message" body . The first -party then- reads or- 
otherwise processes the message without storing a 
decrypted copy of it which could later be discovered and 
read by an unauthorized party. At step 50 the first 
5 party destroys the ephemeral decryption key at the 

associated expiration time such that it cannot be 
recovered. Such a destruction capability may be 
provided in a hardware device which stores at least the 
ephemeral decryption keys and which only allows them to 

10 be read after receiving proof of a current time prior to 

the expiration time, or which erases the. memory in which 
the ephemeral decryption keys are stored at their 
associated expiration times such that they cannot be 
recovered, for example by powering down a volatile 

15 memory in which the ephemeral keys are stored. 

A second embodiment of the invention, as 
illustrated in Fig. 4, includes one or more ephemerizers 
60 shown as Ephemerizer 1 through Ephemerizer M. Each 
of the ephemerizers 60 may supply ephemeral encryption 

20 keys to one or more of a number of parties 62. For 

example, one or more of the ephemerizers 60 may include 
an ephemeral key pair list, including expiration times 
associated with each ephemeral key pair, which is 
accessible to one or more of the parties 62. Further, 

25 one or more of the ephemerizers 60 may provide, upon 

request, ephemeral symmetric keys. The parties 62, 
shown as party 1 through party M, are communicative with 
the ephemerizers 60, via a communications or messaging 
infrastructure such as a computer network or the 
30 internet. Each of the parties 62 and/or ephemerizers 

60, may be a software process, personal computer, 
workstation, or any other type of device which is 
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capable ~-6f ; exchanging messages -by way - - of a — * . 
communications or messaging infrastructure. 

During operation of the components shown in Fig. 4, 
and as described in further detail with reference to 
5 Fig. 6, the parties 62 may read public keys from 

ephemeral key pairs made publicly accessible by the 
ephemerizers 60, and/or pass requests 64 for ephemeral 
keys having certain associated expiration times to the 
ephemerizers 60. The parties 62 also pass decryption 

10 requests 66 to the ephemerizers 60. The ephemerizers 60 

may pass ephemeral encryption keys 68 and partly 
decrypted data 70 to the parties 62. The partly 
decrypted data 70 is "partly" decrypted in the sense 
that while it has been decrypted using an ephemeral 

15 decryption key by one of the ephemerizers 60, it may 

still require decryption using another decryption key 
which is unknown to that ephemerizer. 

Fig. 5 shows an example of an ephemeral message 
format 80 applicable, for example, to the second 

20 embodiment of the invention as shown in Fig. 4. The 

ephemeral message format 80 includes an ephemerizer 
identifier 82 identifying one of the ephemerizers 60, 
such as a Uniform Resource Locator (URL) , Internet 
Protocol (IP) address and port number combination, or 

25 other type of name or address information. The message 

format 80 further includes an ephemeral encryption key 
identifier 84, such as an index, remote reference, or 
pointer, for example indicating an ephemeral key pair 
within an ephemeral key pair list published by the 

30 ephemerizer identified by the ephemerizer identifier 82. 

Alternatively, the ephemeral encryption key identifier 
84 may indicate an ephemeral symmetric key known by that 
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* : 1 ephemerizer. ~ --'A- message key portion 86- inpiudes-, , 
symmetric key encrypted by both an encryption key of the 
destination party to which the message will be passed, 
as well as by the ephemeral encryption key indicated by 
5 the ephemeral encryption key identifier 84. The message 
body portion 88 is encrypted with the symmetric key 
included in the message key portion 86. 

Fig. 6 illustrates steps performed during operation 
of the second embodiment of the invention. At step 100, 

10 in the case where ephemeral public/private key pairs are 
employed, an ephemerizer may make an ephemeral key pair 
list publicly available. However, in the case where 
ephemeral symmetric keys are provided by an ephemerizer, 
such keys would not be made publicly accessible, but 

15 would instead be provided in response to ephemeral key 
requests . 

At step 102, Party A obtains an ephemeral 
encryption key, for example by selecting an ephemeral 
key pair from an ephemeral key pair list, or by 

20 receiving an ephemeral symmetric key provided by an 

... ephemerizer in response to a previous. ..ephemeral key 
request. The ephemeral encryption key may be selected 
or requested in such a way that it has an associated 
expiration time appropriate for a message Party A 

25 intends to pass to Party B. For example, Party A may 

select a publicly available ephemeral key pair having an 
appropriate associated expiration time. Alternatively, 
Party A may indicate a desired expiration time or range 
of times to the ephemerizer in a ephemeral key request, 

30 causing the ephemerizer to provide an ephemeral 
encryption key having the requested expiration time. 
Where the message to be passed is an electronic mail 
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" ' mess^S, Party-- A - -may —reasonably obtain an -ephemeral 
encryption key associated with an expiration time that 
is one week in the future. Such a decryption lifetime 
would allow for the possibility that a recipient of the 
5 message may not check or read his or her received 
messages on a more frequent basis. The desired 
decryption period may also be calculated to take into 
consideration communication links and/or intermediate 
networking devices between Party A and Party B f which 

10 may become temporarily unusable, thus potentially 
delaying delivery of the message. 

At step 104, Party A encrypts the message to be 
sent to Party B. Consistent with the message format 80 
shown in Fig. 5, Party A encrypts the message body using 

15 a symmetric key, and doubly encrypts that symmetric key, 

first using an encryption key of Party B, and then 
applying the ephemeral encryption key to the result. 
Party A includes the doubly encrypted symmetric key in 
the message, as well as indications of the ephemerizer 

20 and ephemeral encryption key, and passes the complete 

message to Party B-. Upon receipt of the message from 
Party A, at step 106, Party B sends the doubly encrypted 
symmetric key to the ephemerizer indicated within the 
message. 

25 At step 108, the ephemerizer applies the 

appropriate ephemeral decryption key to the doubly 
encrypted symmetric key, for example using a private key 
from an ephemeral key pair also including the public key 
used as the ephemeral encryption key for the message. 

30 The result of this decryption is a copy of the symmetric 

key still encrypted by the encryption key of Party B. 
The ephemerizer passes this still encrypted symmetric 
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^|ief teck to v fartf 'Bf whith then uses its own- decryption 
key to complete decrypting the symmetric key at step 
108. Party B uses the completely decrypted symmetric 
key to decrypt the body of the message. Party B assures 
5 that all reading or processing of the decrypted message 
is performed without storing a copy of the decrypted 
message that could later be read by an unauthorized 
party, and that all temporary copies of the decrypted 
message are irretrievably destroyed. The ephemerizer 
10 permanently destroys the ephemeral decryption key at the 
associated expiration time in step 112, 

Other aspects and variations of the disclosed 
embodiments are now described. In both the first and 
second embodiment, ephemeral key pairs may be shared, in 
15 the sense that multiple encrypting parties may use the 

same public key from a given ephemeral key pair. 
Additionally, a public key of an ephemeral key pair may 
be used to encrypt multiple messages or files, by the 
same or different encrypting parties. As described 
20 above, message keys may be doubly encrypted to ensure 

ephemerizers cannot access fully decrypted message text. 
In the first embodiment (Fig. 3), ephemeral key pairs 
may be shared, even where messages or message keys are 
only singly encrypted with the public ephemeral key. 
25 As illustrated by the ephemeral message format 120 

shown in Fig. 7, multiple ephemerizers may be used to 
successively encrypt the message symmetric key, message 
body, or portions thereof. The ephemeral message format 
120 includes a list of identifiers for N ephemerizers, 
30 together with identifiers for N associated ephemeral 
encryption keys. Specifically shown are ephemerizer 1 
identifier 122, ephemeral encryption key 1 identifier 
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1 124/ ephefoetizer'^ -identifier 126, ephemeral- encryption.. . 
key 2 identifier 128, and so forth through ephemerizer N 
identifier 130 and ephemeral encryption key N identifier 
132, The message key portion 134 of the ephemeral 
5 message format 120 includes a symmetric key which was 
used to encrypt the message body 136, and which has been 
successively encrypted with each of the ephemeral 
. encryption keys 1 through N of the ephemerizers 1 
through N. Accordingly, in order to decrypt the message 
10 body 136, the receiver must use each of the ephemerizers .. 

1 through N to successively decrypt the symmetric key in 
the message, so that the message body 136 may be 
decrypted using the decrypted symmetric key. Thus when 
multiple ephemerizers are used to provide encryption of 
15 a message in the message format 120, if at least one of 

the corresponding ephemeral private keys is destroyed at 
the associated expiration time, the message becomes 
completely un-decryptable at that time. 

In another technique using multiple ephemerizers, 
20 and as illustrated by the ephemeral message format 140 

shown in -Fig. 8, a set of N ephemerizers may be used to - 
encrypt a message key in a way that permits decryption 
using a subset of K ephemerizers of the N encrypting 
ephemerizers. Such an approach may exploit conventional 
25 "K of N" secret-sharing algorithms. The ephemeral 

message format 140 includes a list of identifiers for N 
ephemerizers, together with identifiers for N associated 
ephemeral encryption keys. Specifically shown are 
ephemerizer 1 identifier 142, ephemeral encryption key 1 
30 identifier 144, ephemerizer 2 identifier 146, ephemeral 

encryption key 2 identifier 148, and so forth through 
ephemerizer N identifier 150 and ephemeral encryption 
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~ ' key 'N identifier" 152. The message *ey < portion 134 >oL 

the ephemeral message format 140 includes a symmetric 
key which was used to encrypt the message body 156 , and 
which has been encrypted with the ephemeral encryption 
5 keys 1 through N of the ephemerizers 1 through N, such 

that the decryption keys associated with only K of the 
ephemeral encryption keys 1 through N are necessary to 
decrypt it. Accordingly, the receiver of the message 
need only use K of the N ephemerizers used to encrypt 

10 the message to decrypt the message, enabling the message 

to be decrypted even in the case where up to N - K of 
the N encrypting ephemerizers either become unavailable, 
or forget the necessary ephemeral decryption keys prior 
to the appropriate expiration time. 

15 As a further illustration of using multiple 

ephemerizers, an ephemeral message may be encrypted in j 
stages, using a series of j independent ephemerizer 
sets. At each stage, an ephemerizer set associated with 
that stage operates on the results from an ephemerizer 

20 set associated with the previous encryption stage. Each 

ephemerizer set may consist of a single necessary 
ephemerizer, multiple necessary ephemerizers, or 
multiple ephemerizers employing a K of N type encryption 
algorithm. Accordingly, the ephemerizer sets may be 

25 represented by the following expression: 

{ (K 4 , N x >, (K 2 , N 2 ) • . . (Kj, Nj) > 

If Ki=Ni=l, then a single necessary ephemerizer is used 
30 at that stage, if Ki-Ni>l then multiple necessary 

ephemerizers are used at that stage, and if Ki<Ni then Ki 
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*wv~ 'the Nrepfiemefizers in the set are necessary -at that 

stage of decryption. 

While the preceding alternatives are discussed with 
regard to encryption using a message key contained 
5 within the message to encrypt the message body, they are 
also applicable where the message body itself is 
encrypted, at least in part, using the ephemeral 
encryption key or keys. It is also possible to apply 
the disclosed system to messages which include multiple 
10 symmetric keys that are used to encrypt different 

portions of the message, or which are used in 
combination to encrypt the message multiple times. For 
example, a message format may be employed in which the 
message body is encrypted using a first symmetric key 
15 Ki. A version of Ki that is encrypted using a public key 

of the message recipient is included in the message. A 
second symmetric key K 2 is then used to again encrypt Ki 
and the message body. A version of K 2 that is encrypted 
using a first ephemeral encryption key is also included 
20 in the message. Another symmetric key K 3 may then be 

used to again encrypt K 2 , Ki, and the message body. A 
version of K 3 encrypted with a second ephemeral 
encryption key is also included in the message. This 
type of ephemeral message format is extensible to employ 
25 as many symmetric keys within the message as are needed. 

While in many circumstances the disclosed system 
may be preferably applied using ephemeral public/private 
key pairs, ephemeral symmetric keys may be desirable in 
some implementations or operational environments. 
30 Ephemeral symmetric keys may be used for single stage 

encryption using a single key, or as part of a multi- 
stage encryption using multiple keys. In multi-stage 
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encryption,*^ keys may be - used in. 

combination with other types of ephemeral keys including 
public keys of ephemeral public/private key pairs . 

With regard to ephemerizer business models, the 
5 ephemerizer service of the second embodiment may be 

designed to charge for use of ephemeral key pairs f or 
for the decryption service provided to the recipient of 
a message encrypted with an ephemeral public key. Such 
charging may, for example be based on message size or 
10 average number of messages over time. 

Those skilled in the art should readily appreciate 
that the programs defining the functions of the present 
invention can be delivered to a computer in many forms ; 
including, but not limited to: (a) information 
15 permanently stored on non-writable storage media (e.g. 

read only memory devices within a computer such as ROM 
or CD-ROM disks readable by a computer I/O attachment); 
(b) information alterably stored on writable storage 
media (e.g. floppy disks and hard drives); or (c) 
20 information conveyed to a computer through communication 

media for example using baseband signaling or broadband 
signaling techniques f including carrier wave signaling 
techniques, such as over computer or telephone networks 
via a modem. In addition, while the invention may be 
25 embodied in computer software, the functions necessary 

to implement the invention may alternatively be embodied 
in part or in whole using hardware components such as 
Application Specific Integrated Circuits or other 
hardware, or some combination of hardware components and 
30 software. 

In an exemplary hardware platform on which a 
software based implementation of the present invention 
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" would execute) the program code executes on one br more 
processors/ for example a microprocessor. The program 
code may be stored in, and may be executed on the 
processor from, a memory such as a Random Access Memory 
5 (RAM) or Read Only Memory (ROM) . The memory storing the 

program code is communicable with the processor, for 
example by way of a memory bus. In addition, the 
exemplary platform may include various input /output 
(I/O) devices, such as a keyboard and mouse, as well as 

10 secondary data storage devices such as magnetic and/or 

optical disks. As mentioned above, a destruction 
capability may be provided in a hardware device which 
stores at least the ephemeral decryption keys and which 
only allows them to be read after receiving proof of a 

15 * current time prior to the expiration time, or which 
erases the memory in which the ephemeral decryption keys 
are stored at their associated expiration times such 
that they cannot be recovered, for example by powering 
down a volatile memory in which the ephemeral keys are 

20 stored. 

While the invention is described through the above 
exemplary embodiments, it will be understood by those of 
ordinary skill in the art that modification to and 
variation of the illustrated embodiments may be made 

25 without departing from the inventive concepts herein 

disclosed. Specifically, while the preferred embodiments 
are disclosed with reference to messages passed between 
users of a computer network, the invention ...may be 
employed in any context in which messages are passed 
30 between communicating entities. Moreover, while the 

preferred embodiments are described in connection with 
various illustrative data structures, one skilled in the 
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art will recognize* that the system may be embodied us.ing^ 
a variety of specific data structures. Accordingly, the 
invention should not be viewed as limited except by the 
scope and spirit of the appended claims. 
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" " ' ' CLAIMS 

What is claimed is: 

5 1. A method of supporting data encryption, comprising: 

providing, by a first party, at least one 
encryption key associated with an expiration time to a 
second party; 

receiving data encrypted by said second party using 
10 said encryption key; 

decrypting, at least in part, said encrypted data 
using a decryption key associated with said encryption 
key; and 

destroying, by saj^d first party, said decryption 
15 key associated with said encryption key at said 

expiration time, 

2* The method of claim 1, wherein said encryption key is 
a symmetric encryption key, and wherein said decryption 
20 key associated with said encryption key is the same as 

said encryption key* 

3. The method of claim 1, further comprising receiving 
an encryption key request from said second party, said 

25 encryption key request including a requested expiration 
time range* 

4. The method of claim 3, wherein said providing said at 
least one encryption key by said first party is 

30 responsive to said receiving said encryption key request 

from said second party, and wherein said associated 
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expiration time is within said requested expiration time 
range . 

5. The method of claim 1 # wherein said encryption key is 
5 a public key of an encryption key pair, said encryption 

key pair further including a private key, and wherein 
said decryption key is the same as said private key. 

6. The method of claim 5, wherein said encryption key 
10 pair is one of a plurality of encryption key pairs, each 

of said plurality of encryption key pairs including a 
public and a private key, each of said encryption key 
pairs associated with a respective expiration time. 

15 7. The method of claim 6, wherein said public keys and 

said expiration times of said plurality of encryption 
key pairs are accessible to said second party . 

8. The method of claim 7, further comprising selecting, 
20 by said second party, one of said encryption key pairs, 

said selected one of said encryption key pairs including 
a public key equal to said encryption key, and said 
selected one of said encryption key pairs having a 
respective expiration time equal to said expiration time 
25 associated with said encryption key. 

9. The method of claim 1 wherein said encrypted data 
includes at least a portion of an electronic . -mail 
message . 

30 

10. The method of claim 1 wherein said encrypted data 
includes at least a portion of a file. 



-26- 



WO 01/20836 



PCT/US00/23997 



11. The method of claim 8 wherein said encrypted data 
includes indication of said selected one of said 
plurality of encryption key pairs. 

5 

12. The method of claim 1 wherein said encrypted data 
includes a second encryption key. 

13. The method of claim 12, wherein said encrypted data 
10 further includes a message body encrypted, at least in 

part, using said second encryption key. 

14. The method of claim 13, wherein said second 
encryption key is a symmetric encryption key. 

15 

15. The method of claim 8, wherein data encrypted with 
a public key of said selected one of said plurality of 
encryption key pairs includes a message body. 

20 16. The method of claim 8, wherein said data encrypted 

with a public key of said selected one of said plurality 
of encryption key pairs is previously encrypted using a 
second encryption key associated with said first party. 

25 17. The method of claim 1, wherein said encrypted data 

is received from said second party via a computer 
network. 

18. The method of claim 1, further comprising 
30 transferring, by said second party, said data encrypted 

using said encryption key to a third party. 
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19. The method of claim 1, wherein at least a portion of 
said data encrypted by said second party using said 
encryption key is received by said first party from said 
second party. 

5 

20. The method of claim 18, wherein at least a portion 
of said data encrypted by said second party using said 
encryption key is received by said first party from said 
third party. 

10 

21. The method of claim 20 , further comprising 
transferring, by said first party to said third party, a 
result of said decrypting, at least in part, said 
encrypted data using a< decryption key associated with 

15 said encryption key. 

22. The method of claim 1, further comprising providing, 
by said third party, an identity of said first party to 
said second party. 

20 

23. The method of claim 22, wherein said identity of 
said first party is included within a list of ephemeral 
key servers provided to said second party by said third 
party. 

25 

24 > The method of claim 1, further comprising selecting 
said first party by said second party. 

25. A computer program product including a computer 
30 readable medium, said computer readable medium having a 

• data encryption computer program stored thereon, said 
data encryption computer program comprising: 
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program code for providing, by a first party, at 
least one encryption key associated with an expiration 
time to a second party; 

program code for receiving data encrypted by said 
5 second party using said encryption key; 

program code for decrypting, at least in part, said 
encrypted data using a decryption key associated with 
said encryption key; and 

program code for destroying, by said first party, 
10 said decryption key associated with said encryption at 

said expiration time. 

26. A computer data signal embodied in a carrier wave, 
said computer data signal including a computer program 
for providing data encryption, said data encryption 
computer program comprising: 

program code for providing, by a first party, at 
least one encryption key associated with an expiration 
time to a second party; 

program code for receiving data encrypted by said 
second party using said encryption key; 

program code for decrypting, at least in part, said 
encrypted data using a decryption key associated with 
said encryption key; and 

program code for destroying, by said first party, 
said decryption key associated with said encryption at 
said expiration time. 

27. A method of encrypting data to be passed from a 
30 first party to a second party, comprising: 

providing a plurality of encryption keys to said 
first party, each of said plurality of encryption keys 
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associated" with at least one of a plurality of- 
encryption key servers, each of said plurality of 
encryption keys having an associated decryption key and 
an associated expiration time; 
5 successively encrypting said data, by said first 

party, using each one of said plurality of encryption 
keys; 

decrypting, at least in part, said encrypted data, 
by at least a subset of said plurality of encryption key 
10 servers, using at least an associated subset of said 

decryption keys associated with said encryption keys; 
and 

destroying at least one of said plurality of 
encryption keys by at least an associated one of said 
15 plurality of encryption key servers. 

28. A computer program product including a computer 
readable medium, said computer readable medium having a 
data encryption computer program stored thereon, said 

20 data encryption computer program comprising: 

program code for providing a plurality *of 
encryption keys to said first party, each of said 
plurality of encryption keys associated with at least 
one of a plurality of encryption key servers, each of 

25 said plurality of encryption keys having an associated 

decryption key and an associated expiration time; 

program code for encrypting said data, by said 
first party, using each one of said plurality of 
encryption keys; 

30 program code for decrypting, at least in part, said 

encrypted data, by at least a subset of said plurality 
of encryption key servers, using at least an associated 
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subset" of said decryption keys associated with said 
encryption keys; and 

program code for destroying at least one of said 
plurality of encryption keys by at least an associated 
5 one of said plurality of encryption key servers. 

29. A computer data signal embodied in a carrier wave, 
said computer data signal including a computer program 
for providing data encryption, said data encryption 

10 computer program comprising: 

program code for providing a plurality of 
encryption keys to said first party, each of said 
plurality of encryption keys associated with at least 
one of a plurality of encryption key servers, each of 

15 said plurality of encryption keys having an associated 

decryption key and an associated expiration time; 

program code for encrypting said data, by said 
first party, using each one of said plurality of 
encryption keys; 

20 program code for decrypting, at least in part, said 

encrypted data, by at least a subset of said plurality 
of encryption key servers, using at least an associated 
subset of said decryption keys associated with said 
encryption keys; and 

25 program code for destroying at least one of said 

plurality of encryption keys by at least an associated 
one of said plurality of encryption key servers, 

30. h method of encrypting data to be passed from a 
30 first party to a second party, comprising: 

providing a plurality of N encryption keys to said 
first party, each of said plurality of N encryption keys 
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associated 'with a "respective one of a plurality of^N 
encryption key servers, each of said plurality of N 
encryption keys having an associated decryption key and 
an associated expiration time; 
5 encrypting said data, by said first party, using 

each one of said plurality of N encryption keys, said 
encryption performed such that at least K of said 
associated decryption keys are required. to decrypt said 
data, where K is less than N; 
10 decrypting said encrypted data using less than N, 

but at least K of said plurality of N encryption key 
servers, using at least K of said associated decryption 
keys; and 

destroying said associated decryption keys by said 
15 plurality of N encryption servers at said associated 

expiration time. 

31 • A method of encrypting data to be passed from a 
first party to a second party, comprising: 

20 encrypting said data in a plurality of encryption 

stages, using a respective set of one or more encryption 
key servers at each one or said plurality of encryption 
stages, wherein each encryption key server provides an 
encryption key associated with a decryption key and an 

25 expiration time, and wherein said data is encrypted in 
at least one of said plurality of encryption stages such 
that less than all of the associated decryption keys of 
. the encryption key servers in the respective encryption 
key server set are necessary to decrypt said data at 

30 that one of said plurality of encryption stages; 

decrypting, at least in part, said encrypted data, 
using less than all of said encryption key servers in 
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said encryption' key server set associated with said at 
least one of said plurality of encryption stages; and 

destroying said associated decryption keys by said 
encryption key servers at said associated expiration 
5 time. 

32. A method of supporting data encryption, comprising: 
providing at least one encryption key associated 

with an expiration time; 
10 receiving data encrypted using said encryption key; 

decrypting, at least in part, said encrypted data 
using a decryption key associated with said encryption 
key; and 

destroying said decryption key associated with said 
15 encryption at said expiration time. 

33. The method of claim 32, wherein said encryption key 
is a symmetric encryption key, and wherein said 
decryption key associated with said encryption key is 

20 the same as said encryption key. 

34. The method of claim 32, further comprising receiving 
an encryption key request, said encryption key request 
including a requested expiration time range. 

25 

35. The method of claim 34, wherein said providing said 
at least one encryption key is responsive to said 
receiving said encryption key request, and wherein said 
associated expiration time is within said requested 

30 expiration time range. 
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36. The method of claim 32, wherein said encryption key 
is a public key of an encryption key pair, said 
encryption key pair further including a private key, and 
wherein said decryption key is the same as said private 

5 key. 

37. The method of claim 36, wherein said encryption key 
pair is one of a plurality of encryption key pairs, each 
of said plurality of encryption key pairs including a 

10 public and a private key, each of said encryption key 

pairs associated with a respective expiration time, 

38. The method of claim 37, wherein said public keys and 
said expiration times of said plurality of encryption 

15 key pairs are publicly accessible. 

39. The method of claim 32 wherein said encrypted data 
includes at least a portion of an electronic mail 
message. 

20 

40. The method of claim 32 wherein said encrypted data 
includes at least a portion of a file. 

41. The method of claim 32 wherein said encrypted data 
25 includes a second encryption key. 

42. The method of claim 41, wherein said encrypted data 
* further includes a message body encrypted, at least in 

part, using said second encryption key. 

30 

43. The method of claim 42, wherein said second 
encryption key is a symmetric encryption key. 
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44. The method of claim 32, wherein said encrypted data 
is received via a computer network. 

5 45. A method of supporting data encryption, comprising: 

obtaining an encryption key associated with an 
expiration time, said expiration time indicating a time 
at which a decryption key associated with said 
encryption key will be destroyed; 
10 encrypting data using said encryption key; and 

transmitting said encrypted data to a second party 
prior to said expiration time. 

46. The method of claim 45, wherein said encryption key 
15 is a symmetric encryption key, and wherein said 

decryption key associated with said encryption key is 
the same as said encryption key. 

47. The method of claim 45, said obtaining further 
20 comprising transmitting an encryption key request to 

said second party, said encryption key request including 
a requested expiration time range. 

48. The method of claim 47, wherein said associated 
25 expiration time is within said requested, expiration time 

range * 

49. The method, of claim 45, wherein said encryption . key 
is a public key of an encryption key pair, said 

30 encryption key pair further including a private key, and 
wherein said decryption key is the same as said private 
key. 
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50. The method of claim 4 9, wherein said encryption key 
pair is one of a plurality of encryption key pairs , each 
of said plurality of encryption key pairs including a 

5 public and a private key, each of said encryption key 

pairs associated with a respective expiration time. 

51. The method of claim 50, further comprising selecting 
one of said encryption key pairs, said selected one of 

10 said encryption key pairs including a public key equal 

to said encryption key, and said selected one of said 
encryption key pairs having a respective expiration time 
equal to said expiration time associated with said 
encryption key. 

15 

52. The method of claim 4 5 wherein said encrypted data 
includes at least a portion of an electronic mail 
message. 

20 53. The method of claim 45 wherein said encrypted data 

includes at least a portion of a file. 

54. The method of claim 51 wherein said encrypted data 
includes indication of said selected one of said 

25 plurality of encryption key pairs. 

55. The method of claim 4 5 wherein said encrypted data 
includes a second encryption key. 

30 56. The method of claim 55, wherein said encrypted data 

further includes a message body encrypted, at least in 
part, using said second encryption key. 
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57. The method of claim 56, wherein said second 
encryption key is a symmetric encryption key. 

5 58. The method of claim 51 r wherein data encrypted with 

a public key of said selected one of said plurality of 
encryption key pairs includes a message body. 

59. The method of claim 51, wherein said data encrypted 
10 with a public key of said selected one of said plurality 

of encryption key pairs is previously encrypted using a 
second encryption key associated with said first party. 

60. The method of claim 45, wherein said encrypted data 
15 is transmitted to said second party via a computer 

network. 

61. A system for supporting data encryption, 
comprising: 

20 means for providing, by a first party, at least one 

encryption key associated with an expiration time to a 
second party; 

means for receiving data encrypted by said second 
party using said encryption key; 
25 means for decrypting, at least in part, said 

encrypted data using a decryption key associated with 
said encryption key; and 

means for destroying, by said first party, said 
decryption key associated with said encryption at said 
30 expiration time. 
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62. A system for encrypting data to be passed from a 
first party to a second party, comprising: 

means for providing a plurality of encryption keys 
to said first party, each of said plurality of 
5 encryption keys associated with at least one of a 

plurality of encryption key servers, each of said 
plurality of encryption keys having an associated 
decryption key and an associated expiration time; 

means for successively encrypting said data, by 
10 said first party, using each one of said plurality of 
encryption keys ; 

means for decrypting, at least in part, said 
encrypted data, by at least a subset of said plurality 
of encryption key servej^, using at least an associated 
15 subset of said decryption keys associated with said 

encryption keys; and 

means for destroying at least one of said plurality 
of encryption keys by at least an associated one of said 
plurality of encryption key servers • 

20 

63. A system for encrypting data to be passed from a - 
first party to a second party, comprising: 

means for providing a plurality of N encryption 
keys to said first party, each of said plurality of N 
25 encryption keys associated with a respective one of a 
plurality of N encryption key servers, each of said 
plurality of N encryption keys having an associated 
decryption key and- axv associated expiration time; 

encrypting said data, by said first party, using 
30 each one of said plurality of N encryption keys, said 
encryption performed such that at least K of said 
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associated decryption keys are required to decrypt said 
data, where K is less than N; 

decrypting said encrypted data using less than N, 
but at least K of said plurality of N encryption key 
5 servers, using at least K of said associated decryption 
keys; and 

destroying said associated decryption keys by said 
. plurality of N encryption servers at said associated 
expiration time. 

10 

64. A system for encrypting data to be passed from a 
first party to a second party, comprising: 

means for encrypting said data in a plurality of 
encryption stages, using a respective set of one or more 
15 encryption key servers at each one or said plurality of 
encryption stages, wherein each encryption key server 
provides an encryption key associated with a decryption 
key and an expiration time, and wherein said data is 
encrypted in at least one of said plurality of 
20 encryption stages such that less than all of the 

associated decryption keys of the encryption key servers 
in the respective encryption key server set are 
necessary to decrypt said data at that one of said 
plurality of encryption stages; 
25 means for decrypting, at least in part, said 

encrypted data, using less than all of said encryption 
key servers in said encryption key server set associated 

jvith.-S.aid at least one of said plurality of . encryption 

stages; and 

30 means for destroying said associated decryption 

keys by said encryption key servers at said associated 
expiration time. 
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65. A system for supporting data encryption, 
comprising: 

means for obtaining an encryption key associated 
5 . with an expiration time, said expiration time indicating 
a time at which a decryption key associated with said 
encryption key will be destroyed; 

means for encrypting data using said encryption 
key; and 

10 means for transmitting said encrypted data to a 

second party prior to said expiration time* 

66. A system for supporting data encryption, 
comprising : 

15 means for providing at least one encryption key 

associated with an expiration time; 

means for receiving data encrypted using said 
encryption key; 

means for decrypting, at least in part, said 
20 encrypted data using a decryption key associated with 

said encryption key; and 

means for destroying said decryption key associated 
with said encryption at said expiration time. 



-40- 



WO 01/20836 



PCT/US00/23997 



1/6 



r 



EKP1 
EKP2 
EKP3 
EKP4 
EKP5 



-10 



r 



14 



16 
A 



18 



EKPN 



Pub-Key, 


Priv-Key, 


Expiration Time t 


Pub-Key 2 


Priv-Key 2 


Expiration Time 2 


Pub-Key 3 


Priv-Key 3 


Expiration Time 3 


Pub-Key 4 


Priv-Key 4 


Expiration Time 4 


Pub-Key 5 


Priv-Key 5 


Expiration Time 5 


1 ! 
1 1 
1 " 1 


Pub-Key n 


Priv-Key n 


Expiration Time n 



Figure 1 



{KEY}, 



ephemeru!_key 



{MESSAGE}^ 



-30 



32 



34 



Figure 2 



WO 01/20836 



PCT/US00/23997 



2/6 



First party announces current ephemeral key pairs 



40 



Second party selects ephemeral key pair 
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Second party encrypts message using public key 
from selected ephemeral key pair 
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Second party passes message to first party 
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First party decrypts message using private key from 
selected ephemeral key pair 
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First party destroys ephemeral key pair 
at expiration time 
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